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Abstract 

Systems  that  authenticate  a  user  based  on  a  shared  secret 
(such  as  a  password  or  PIN)  normally  allow  anyone  to  query 
whether  the  secret  is  a  given  value.  For  example,  an  ATM 
machine  allows  one  to  ask  whether  a  string  is  the  secret  PIN 
of  a  (lost  or  stolen)  ATM  card.  Yet  such  queries  are  prohib¬ 
ited  in  any  model  whose  programs  satisfy  an  information- 
flow  property  like  Noninterference.  But  there  is  complexity- 
based  justification  for  allowing  these  queries.  A  type  system 
is  given  that  provides  the  access  control  needed  to  prove  that 
no  well-typed  program  can  leak  secrets  in  polynomial  time, 
or  even  leak  them  with  nonnegligible  probability  if  secrets 
are  of  sufficient  length  and  randomly  chosen.  However,  there 
are  well-typed  deterministic  programs  in  a  synchronous  con¬ 
current  model  capable  of  leaking  secrets  in  linear  time. 

1  Introduction 

A  common  approach  to  authenticating  a  user  is  based  on  a 
shared  secret.  Normally,  anyone  can  ask  whether  the  secret 
is  a  particular  value.  For  instance,  password-based  authen¬ 
tication  allows  anyone  to  ask  whether  a  certain  string  is  the 
password  of  a  given  user.  An  ATM  permits  anyone  to  ask, 
for  a  given  card,  whether  a  string  is  the  hidden  PIN  (Per¬ 
sonal  ID  Number)  of  that  card,  and  so  on.  Formalizing  the 
secrecy  guaranteed  by  systems  that  use  this  form  of  authen¬ 
tication  is  beyond  the  scope  of  information-flow  techniques 
because  their  goal  is  absolute  secrecy. 

For  instance,  suppose  h  is  a  constant  (read-only  variable) 
whose  value  is  a  ft-bit  integer  secret.  If  we  represent  a  query 
as  match(e),  which  is  true  iff  h  =  e,  then  a  brute-force  attack 
on  h  can  be  represented  by  a  simple  loop: 

l  :=  0; 

while  ->match(l)  do 
l:=l  +  1 

An  information-flow  property  like  Noninterference  [5,  15,  12, 
14]  rejects  the  program.  Given  that  h  has  security  class 
H  (high)  and  l  has  security  class  L  (low),  Noninterference 
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requires  that  the  final  value  of  l  be  independent  of  the  initial 
value  of  h — this  plainly  fails  here. 

But  the  loop  is  a  0(2*)  attack,  assuming  the  value  of  h 
is  chosen  at  random.  So  as  long  as  k  is  large  enough  and  the 
value  of  h  is  randomly  chosen,  we  do  not  consider  the  at¬ 
tack  a  threat  and  would  like  a  secrecy  criterion  that  reflects 
this  view.  Our  approach  is  to  adopt  a  relative  criterion  for 
secrecy  that  depends  upon  certain  parameters,  specifically, 
the  number  of  bits  in  a  secret  and  randomness.  The  idea 
is  to  admit  only  those  programs  for  which  it  can  be  proved 
that  sufficiently-long  secrets  cannot  be  learned  in  polyno¬ 
mial  time  or  even  learned  with  nonnegligible  probability  in 
polynomial  time  if  randomly  diosen. 

The  query  expression  match(e)  also  represents  the  most 
basic  tool  any  attacker  has  for  compromising  public-key 
cryptography.  Given  ciphertext  c  that  is  the  result  of  en¬ 
crypting  plaintext  h  with  a  public  key,  an  attacker  can  test 
efficiently  whether  h  is  a  particular  string  e  simply  by  en¬ 
crypting  e  with  the  public  key  and  seeing  whether  the  same 
ciphertext  c  is  produced.  Of  course  the  nonuniform  dis¬ 
tribution  of  plaintext  makes  cracking  a  public-key  system 
with  match  queries  different  from  a  brute-force  attack  on  a 
random  secret.  Good  dictionary  attacks  exploit  the  distri¬ 
bution.  In  this  case,  match  queries  may  not  be  justified  from 
a  complexity  standpoint  and  another  cryptographic  system 
may  be  required. 

In  this  paper,  we  consider  the  problem  of  trying  to  learn 
the  k- bit  integer  value  of  a  constant  h  of  type  H  using  well- 
typed  programs  written  in  a  deterministic  programming  lan¬ 
guage  with  match  queries.  We  require  that  programs  be  well 
typed  in  the  system  of  [15],  except  that  we  allow  the  type 
of  match  queries  to  be  L ,  which  destroys  traditional  Nonin¬ 
terference  properties. 

Instead,  we  argue  for  the  security  of  our  language  by 
proving  that  no  well-typed  program  that  is  capable  of  de¬ 
ducing  h  runs  in  time  bounded  by  a  polynomial  in  k  (the 
size  of  h).  Notice  that  such  a  result  appears  to  separate  V 
and  AfV  (see  pg.  373  of  [11]),  as  a  well-typed  nondetermin- 
ist.ic  program  can  guess  h  and  verify  its  guess  with  match 
in  time  linear  in  k.  But  our  result  actually  separates  rela¬ 
tivized  forms  of  V  and  NV  because  of  our  use  of  the  match 
oracle.  This  sort  of  separation  was  shown  long  ago  [1]. 

The  preceding  guarantee  is  the  best  one  can  do  in  the 
absence  of  any  probability  distribution  for  the  values  of  h. 
In  the  case  where  there  is  a  distribution,  we  can  talk  about 
the  probability  of  successfully  learning  h.  We  show  that  if 
the  value  of  h  is  chosen  with  respect  to  a  uniform  proba¬ 
bility  distribution,  then  for  any  well-typed  polynomial-time 
program  c,  the  probability  that  c  successfully  learns  h  goes 
to  zero  as  k  increases. 

One  might  conclude  that  equality  testing  is  safe  in  gen¬ 
eral,  and  that  we  could  simply  give  ei  =  e-2  type  L,  regard- 
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less  of  the  types  of  >  i  and  e 2. 2  However,  this  is  not  so;  it 
then  becomes  possible  to  leak  a  secret  in  linear  time. 

Finally,  we  consider  the  effect  of  adding  concurrency  to 
the  language.  Unlike  our  previous  work  [12,  14],  we  consider 
a  synchronous  form  of  concurrency,  so  that  programs  remain 
deterministic.  We  show  that  synchronous  concurrency,  even 
without  match  queries,  allows  well-typed  programs  to  leak 
secrets  in  linear  time. 

2  The  deterministic  language 

In  this  paper,  we  consider  a  deterministic  imperative  pro¬ 
gramming  language  with  a  query  primitive  match : 

( expr )  e  ::=  x  \  n  |  h  \  match(e)  \  ei  +  e?  | 
ei  <  62  |  ei  =  e2  |  ei  yl  e2 

( cmds )  c  ::=  skip  |  x  :=  e  |  ci;c2  | 
if  e  then  ci  else  ci  | 
while  e  do  c 

Metavariable  x  ranges  over  identifiers  that  are  mapped  by 
memories  to  integers;  n  ranges  over  integer  literals.  Integers 
are  the  only  values;  we  use  0  for  false  and  nonzero  for  true. 
The  special  identifier  h  is  a  read-only  variable  whose  binding 
we  assume  is  secret. 

A  standard  transition  semantics  for  the  language  is  given 
in  Figure  1.  A  memory  p.  is  a  mapping  from  identifiers  to 
integers.  We  assume  that  expressions  are  evaluated  atom¬ 
ically.  Thus  we  simply  extend  a  memory  in  the  obvious 
way  to  map  expressions  to  integers,  writing  p(e)  to  de¬ 
note  the  value  of  expression  e  in  memory  /a.  We  say  that 
p{match{e))  =  1  iff  p(h)  =  /((e);  otherwise  p(match{e))  =  0. 
Note  that  expressions  do  not  have  side  effects,  nor  do  they 
contain  partial  operations  like  division.  Thus  p(e)  is  defined 
for  all  e,  so  long  as  every  identifier  in  e  is  in  dom(p). 

These  rules  define  a  transition  relation  — >  on  configu¬ 
rations.  A  configuration  is  either  a  pair  (c,  fi)  or  simply  a 
memory  p.  In  the  first  case,  c  is  the  command  yet  to  be 
executed;  in  the  second  case,  the  command  has  terminated, 
yielding  final  memory  p.  As  usual,  we  define  k  — >°  k,  for 
any  configuration  k,  and  k  — >k  k"  ,  for  k  >  0,  if  there  is  a 
configuration  k'  such  that  k  — >k_1  k'  and  k'  — >  k" . 

3  Relative  secrecy 

We  begin  by  looking  at  relative  secrecy  properties  that  can 
be  proved  for  programs  that  access  h  via  match  queries  only. 
Then,  in  Section  5,  we  give  a  reduction  that  extends  these 
results  to  programs  that  may  have  free  occurrences  of  h. 
The  reduction  requires  that  these  programs  be  well  typed 
under  the  type  system  of  Section  4. 

The  first  property  is  an  intractability  guarantee: 

Theorem  3.1  There  is  no  deterministic  command  capable 
of  copying  the  k-bit  integer  value  of  h  into  a  variable  l  in 
time  polynomial  in  k,  for  all  k,  if  h  is  accessed  via  match 
queries  only. 

Proof.  Suppose  c  runs  in  polynomial  time  p(k)  where  k  is 
the  number  of  bits  needed  to  encode  the  value  of  h.  Choose 
k  large  enough  so  that  2k  >  p{k)  +  1.  Since  c  can  make  at 
most  p(k)  queries  and  2k  >  p(k)  + 1,  there  are  k- bit  integers 

2 In  contrast,  <  is  clearly  dangerous,  as  it  allows  a  secret  to  be 
computed  by  binary  search. 


i  and  j  such  that  i  ^  j  and  neither  i  nor  j  is  queried  by  c. 
Now  c  must  copy  the  value  i  into  l  when  the  value  of  h  is  i. 
But  if  it  does,  then  it  also  copies  i  into  l  when  the  value  of 
h  is  j,  since  it  is  deterministic  and  does  not  query  j.  □ 

Notice  that  if  commands  were  nondeterministic,  then  a  com¬ 
mand  could  nondeterministically  choose  an  integer  n  and 
then  issue  a  query  match(n).  If  the  query  succeeds,  it  copies 
n  into  l.  So  we  can  always  copy  the  value  of  h  in  nondeter- 
ministic  polynomial  time. 

The  preceding  guarantee  is  the  best  one  can  do  in  the 
absence  of  any  probability  distribution  on  the  values  of  h, 
or  in  other  words,  when  its  values  are  chosen  nondetermin- 
ist.ically.  When  there  is  a  probability  distribution  for  h,  we 
can  talk  about  the  probability  of  copying  h.  Indeed,  in  this 
case,  a  command  might  succeed  often,  perhaps  even  most 
of  the  time,  in  copying  h.  However,  one  can  show  that  if 
access  to  h  is  limited  to  match  queries,  then  any  determin¬ 
istic,  polynomial-time  command  for  copying  h  to  a  variable 
l  will  succeed  with  only  negligible  probability  for  uniformly- 
distributed  and  sufficiently-large  values  of  h. 

Suppose  c  is  a  deterministic  command  that  runs  in  poly¬ 
nomial  timep(fc)  and  accesses  a  constant  h  via  match  queries 
only.  And  suppose  the  value  of  h  is  a  k- bit  integer,  cho¬ 
sen  with  respect  to  some  probability  distribution  d  on  k- bit 
integers.  Finally,  assume  that  k  is  large  enough  so  that 
2k  >  p(k).  Now,  as  c  runs,  it  makes  match  queries  in  an 
attempt  to  learn  h.  If  any  such  query  gets  result  1,  then  c 
can  put  the  correct  value  into  l  and  halt.  But  in  p(k)  time, 
c  can  query  at  most  p(k)  out  of  the  2 k  possible  values  of 
h.  Since  2k  >  p(k),  all  of  c’s  queries  might  get  result  0.  In 
such  a  run,  c  must  eventually  halt  and  put  some  value  v 
into  l.  But  note  that  since  c  is  deterministic  and  accesses 
h  only  through  match  queries,  c’s  behavior  will  be  exactly 
the  same  if  the  value  of  h  is  any  of  the  unqueried  integers — 
in  any  such  run,  c  will  make  exactly  the  same  sequence  of 
queries  and  will  finally  write  the  same  default  value  v  into 
l.  That  is,  for  any  such  c  we  can  identify  a  set  S  of  at  most 
p(k)  integers  that  c  will  query,  and  a  default  value  v  that  c 
will  write  into  l  if  all  of  the  queries  get  result  0.  It  follows 
that  c  will  be  successful  in  copying  the  value  of  h  into  l  if 
and  only  if  the  value  of  h  is  in  S  U  {(>}. 

Given  distribution  d,  how  can  c  maximize  its  probability 
of  success?  Clearly,  the  best  strategy  is  to  choose  S  and  v 
so  that  d(S  U  {o})  is  as  large  as  possible.  This  can  be  done 
by  choosing  the  p(k)  +  1  most  likely  values  under  d,  putting 
p{k)  of  them  into  S,  and  using  the  remaining  value  as  v. 

The  probability  of  success  may  be  high  if  either  k  is  too 
small  or  the  probability  distribution  d  is  severely  skew.  But 
if  d  is  a  uniform  distribution,  so  that  all  possible  values  of 
h  are  equally  likely,  then  for  any  choice  of  p(k)  +  1  elements 
of  S  U  {u}  we  have 

d(SU{«})  =  ^. 

(Indeed,  we  can  see  that  a  uniform  distribution  minimizes 
c’s  probability  of  success.)  Hence  we  have  proved 

Theorem  3.2  If  the  value  of  h  is  a  uniformly  distributed 
k-bit  integer  and  c  is  a  deterministic  command  that  runs  in 
polynomial  time  p(k)  and  accesses  h  via  match  queries  only, 
then  the  probability  that  c  successfully  copies  the  value  of  h 
into  a  variable  l  is  at  most  ( p[k )  +  l)/2*. 
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Figure  1:  Transition  semantics 


4  The  type  system 

Now  we  wish  to  allow  programs  to  access  h  directly,  rather 
than  just  via  match  queries.  Of  course,  a  program  could 
then  simply  do  l  :=  h,  so  we  need  another  mechanism  to 
ensure  that  h  is  not  leaked.  For  this  purpose,  we  impose  a 
type  system. 

The  types  are  stratified  into  data  and  phrase  types: 

( data  types)  r  ::=  L  \  H 

( phrase  types)  p  ::=  r  |  r  var  |  r  cmd 

The  data  types  are  just  the  security  levels  low  and  high.  The 
rules  of  the  type  system  are  given  in  Figure  2.  They  just 
extend  the  system  of  [15]  with  a  rule  for  match.  The  rules 
allow  us  to  prove  typing  judgments  of  the  form  7  h  p  :  p  as 
well  as  subtyping  judgments  of  the  form  pi  C  p2.  Here  7 
is  a  typing  that  maps  identifiers  to  types  of  the  form  r  var , 
except  for  h  which  is  mapped  by  every  typing  to  H.  The 
typing  rules  for  the  remaining  binary  operators  are  similar 
to  that  for  eq.  Intuitively,  7  classifies  variables  as  either 
high  or  low,  and  the  typing  rules  prevent  information  from 
flowing  from  high  variables  to  low  variables. 

Notice  that  rule  QUERY  allows  one  to  assign  type  L  to 
a  query  even  though  that  query  is  against  a  high  constant. 
It  is  this  rule  that  breaks  Noninterference  [15],  for  it  allows 
some  information  about  a  secret  to  become  public.  Also  note 
that  the  rule  allows  restricted  access  to  a  high  constant  in 
the  guard  of  a  while  loop  or  conditional  without  requiring 
the  body  or  branches  to  be  typed  as  H  cmd.  This  provides 
more  flexibility  in  programming,  and  indeed  it  now  becomes 
possible  to  write  a  conditional  that,  through  an  indirect  flow, 


copies  a  one-bit  secret  to  a  low  variable.  But  match  is  clearly 
unsafe  with  a  secret  of  only  one  bit! 

5  The  reduction 

We  reduce  the  problem  of  learning  the  value  of  h,  using  a 
deterministic  program  whose  access  to  h  is  limited  to  match 
queries,  to  that  of  learning  the  value  of  h  using  a  well-typed 
deterministic  program  (whose  access  to  h  is  not  limited  to 
queries).  More  precisely,  we  show  that  every  well- typed  com¬ 
mand’s  computation  with  respect  to  low  variables  can  be 
simulated,  with  no  increase  in  time  complexity,  by  a  com¬ 
mand  whose  access  to  h  is  restricted  to  match  queries.  So 
learning  a  secret  with  any  well-typed  program  is  as  hard 
as  learning  it  with  only  match  queries  at  your  disposal. 
Hence  the  relative  secrecy  properties  apply  to  well-typed 
commands.  If  a  program  is  not  well  typed  then  all  bets  are 
off,  as  it  could  well  be  the  case  that  a  secret  is  easily  leaked 
via  a  direct  or  indirect  flow. 

We  begin  with  some  definitions: 

Definition  5.1  Memories  p  and  v  are  equivalent  with  re¬ 
spect  to  a  typing  7,  written  p~~,v,  if  dom(p)  =  dom(v)  = 
dom{ 7)  and  p(x)  =  v(x)  for  all  x  such  that  j(x)  =  L  var. 

This  definition  requires  two  memories  to  agree  on  the  con¬ 
tents  of  all  low  variables. 

Definition  5.2  We  say  that  a  command  c  is  a  low  com¬ 
mand  with  respect  to  7  if  7(2:)  =  L  var  for  every  free  iden¬ 
tifier  x  in  c.3 

3  Note  that  this  is  not  the  same  as  saying  that  the  command  has 
type  L  cmd ,  as  every  well-typed  command  has  type  L  cmd. 
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7  (h)  =  H 

7  1 -  h:H 

(r-val) 

'j{x)  =  t  var 

7  h  x  :  T 

(skip) 

7  b  skip  :  H  cmd 

(eq) 

7  b  ei  :  r,  7  b  62  :  r 

7  b  ei  =  e-2  :  r 

(query) 

7  b  e  :  L 

7  b  match(e)  :  L 

(assign) 

'j{x)  =  t  var,  7  b  e  :  t 

7  b  x  :=  e  :  T  cmd 

(compose) 

7  b  ci  :  t  cmd,  7  b  C2  :  r  cmd 

7  b  ci ;  C2  :  r  c?nd 

(if) 

7  b  e  :  T,  7  b  ci  :  r  cmd,  7  b  C2 
7  b  if  e  then  ci  else  C2  :  T  cmd 

(while) 

7  b  e  :  T,  7bc:r  cmd 

7  b  while  e  do  c  :  r  c?nd 

(base) 

LCH 

(reflex) 

P^P 

(CMD“) 

Tl  C  T2 

T2  cmd  C  ti  cmd 

(subtype) 

7  b  p  :  pi,  pi  C  p2 

7  b  p  :  p2 

Figure  2:  Typing  and  subtyping  rules 
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Definition  5.3  We  say  that  a  command  c'  is  a  low  simu¬ 
lation  of  a  command  c  with  respect  to  7  if  c  is  a  low  com¬ 
mand  relative  to  7  and  for  all  p  where  dom(p)  =  dom{ 7), 
whenever  {c,  p)  — >n  p  ,  there  is  a  p"  and  m  such  that 
(c1 ,  p)  — ¥m  p" ,  p'~-yp"  and  m  <n. 

The  reduction  is  given  by  the  following  theorem. 

Theorem  5.1  If  c  is  a  well-typed  command  with  respect  to 
7,  then  there  is  a  low  simulation  of  c  with  respect  to  7. 

A  proof  of  the  theorem  is  given  in  the  Appendix.  The 
essence  of  the  proof  is  that  commands  of  type  H  cmd  cannot 
affect  any  low  variable.  Therefore,  they  can  be  replaced  by 
the  skip  command.  Commands  that  cannot  be  given  type 
H  cmd  are  retained.  The  result,  is  a  command  that  preserves 
the  computation  on  low  variables  and  runs  in  time  bounded 
by  that  of  the  original  command. 

Since  a  low  command  is  limited  to  accessing  h  via  match 
queries,  we  have  the  following  corollaries: 

Corollary  5.2  There  is  no  well-typed  deterministic  com¬ 
mand  capable  of  copying  the  k-bit  integer  value  of  h  to  a  low 
variable  in  time  polynomial  in  k,  for  all  k. 


in  [10]  (see  pg.  640).  The  default  is  to  avoid  multiplication 
when  certain  bits  of  a  key  are  zero. 

The  essence  of  this  sort  of  attack  can  be  formulated 
within  the  synchronous  concurrent  model.  To  formulate  it 
concretely,  let  us  introduce  the  bitwise  operators  "  (ones 
complement),  &  (bitwise  and),  I  (bitwise  or)  and  >>  (right 
shift).  Typing  rules  for  these  operators  are  similar  to  that 
of  rule  eq.  We  also  take  the  liberty  to  introduce  a  while 
loop  with  empty  body.  Now  suppose  h  stores  a  k- bit  secret 
that  is  being  inspected  bitwise  by  a  legitimate  thread  that 
simply  loops  through  all  bits,  doing  some  computation  if  a 
bit  is  nonzero  and  nothing  otherwise.  Think  of  the  thread 
as  an  implementation  of  an  encryption  algorithm  where  less 
time  is  required  if  a  bit  of  the  k- bit  secret  key  is  zero.  The 
inspection  thread  is  given  by  the  following  command: 

while  mask  !=  0 

if  h  &  mask  then 
skip; 
skip; 
skip; 
skip 
fi 

mask  : =  mask  >>  1 


Corollary  5.3  If  the  value  of  h  is  a  uniformly  distributed 
k-bit  integer  and  c  is  a  well-typed  deterministic  command 
that  runs  in  polynomial  time  p{k),  then  the  probability  that 
c  successfully  copies  the  value  of  h  into  a  low  variable  is  at 
most  ( p(k )  +  l)/2k . 


We  set  up  2 k  attack  threads,  one  pair  for  each  bit  of  the 
secret.  Each  is  responsible  for  setting  a  particular  bit  of  an 
integer  stored  in  low  variable  l  which  is  where  the  secret  is 
leaked.  If  k  =  8,  for  instance,  then  for  the  most  significant 
bit,  we  have  the  threads: 


Thus  we  have  shown  that  the  secrecy  of  h  is  (practically 
speaking)  preserved  even  if  programs  are  allowed  to  make 
match  queries  freely.  One  might  conclude  from  this  that 
equality  testing  is  harmless  in  general.  However,  this  is  not 
so.  If  we  allow  general  equality  tests  among  high  expressions 
to  have  type  L,  then  we  can  leak  h  in  linear  time: 

l  :=  0; 

mask  :=  2k~1; 

while  mask  yf  0  do 
b  :=  h  &  mask; 
if  b  =  mask  then 
l  :=  l  |  mask; 
mask  :=  mask  3>  1 

6  Synchronous  concurrency 

Now  consider  a  deterministic,  multi-threaded  semantics 
where  all  threads  execute  simultaneously  and  synchronously. 
Threads  are  commands  that  communicate  via  a  shared 
global  memory.  Every  thread  of  a  multi-threaded  program 
can  make  one  transition,  according  to  the  semantics  of  Fig¬ 
ure  1,  in  a  given  clock  cycle.  At  each  step,  parallel  reads  are 
allowed  but  not  parallel  writes.  The  latter  situation  causes 
an  evaluation  to  get  stuck. 

The  synchronous  behavior  of  the  model  provides  well- 
typed  commands  with  a  timing  channel  that  can  be  ex¬ 
ploited  to  leak  a  secret  perfectly  in  time  linear  in  its  size. 
Examples  of  multi-threaded  programs  capable  of  doing  this 
can  be  found  in  timing  attacks  on  implementations  of  cryp¬ 
tography  [7].  Here  there  are  bit-wise  operations  on  a  secret 
key  and  one  exploits  the  fact  that  the  implementation  is  op¬ 
timized  according  to  certain  bits  of  the  key.  An  example  is 
the  C  implementation  of  the  block  cipher  algorithm  IDEA 


while  mask  !=  128 
while  mask  ==  128 
1  :=  1  I  128 


while  mask  ! =  128 

skip ; 
skip ; 
skip ; 
skip ; 

1  :=  1  &  "128 


There  would  be  another  identical  pair  for  the  next  bit,  ex¬ 
cept  they  would  spin  while  waiting  for  mask  to  become  64, 
and  so  on.  The  inspection  and  attack  threads  share  mask 
which  is  a  low  variable.4  Further,  all  threads  are  well  typed 
and  every  attack  thread  is  a  low  command  which  we  would 
expect  since  an  attack  would  not  have  direct  access  to  vari¬ 
ables  storing  secrets  anyway.  We  have  set  up  a  race  where 
the  thread  that  sets  a  bit  of  l  to  b  wins  the  race  iff  the 
corresponding  bit  of  h  is  ->6. 

To  illustrate  the  behavior,  suppose  the  first  two  bits  of 
h  are  01  and  that  mask  is  initially  128.  The  trace  of  the 
inspection  thread  on  this  input  is  given  in  the  first  column 
of  Figures  3  and  4.  Figure  3  shows  the  trace  of  a  thread  pair 
attacking  the  first  bit  of  h  while  Figure  4  shows  the  trace  of 
a  thread  pair  attacking  the  second  bit.  The  type  system  is 
not  equipped  to  deal  with  this  kind  of  model  where  timing 
observations  can  be  made.  Tricks  like  atomicity  [14]  do  not 
help  here  because  threads  in  effect  share  a  real-time  clock! 

If  one  views  the  preceding  multi-threaded  program  as  a 
probabilistic  algorithm  then 

Pr[/i  =  n  |  l  —  n]  =  1 

4Making  mask  a  high  variable  is  not  a  good  idea  here  because  then 
no  assignments  to  low  variables  would  be  allowed  in  the  body  of  the 
loop.  This  in  turn  would  hamper  an  implementation  of  encryption. 
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while  mask  ! =  0 

while  mask  != 

128 

while  mask  != 

128 

if  h  &  mask  then 

while  mask  == 

128 

skip 

mask  : =  mask  >>  1 

while  mask  == 

128 

skip 

while  mask  !=  0 

while  mask  == 

128 

skip 

if  h  ft  mask  then 

1  :=  1  1  128 

skip 

skip 

1  :=  1  &  "128 

Figure  3 

Timing  attack  on  first  bit  of  h 

while  mask  !=  0 

while  mask  != 

64 

while  mask  != 

64 

if  h  &  mask  then 

while  mask  != 

64 

while  mask  != 

64 

mask  : =  mask  »  1 

while  mask  ! = 

64 

while  mask  ! = 

64 

while  mask  ! =  0 

while  mask  != 

64 

while  mask  != 

64 

if  h  ft  mask  then 

while  mask  == 

64 

skip 

skip 

while  mask  == 

64 

skip 

skip 

while  mask  == 

64 

skip 

skip 

while  mask  == 

64 

skip 

skip 

while  mask  == 

64 

1  :=  1  ft  "64 

mask  :=  mask  >>  1 

while  mask  == 

64 

while  mask  ! =  0 

while  mask  == 

64 

if  h  ft  mask  then 

1  :=  1  1  64 

Figure  4: 

Timing  attack  on 

second  bit  of  h 

for  all  n.°  In  other  words,  one  can  be  certain  that  h  stores 
a  particular  secret  if  the  algorithm  says  so.  This  is  an  ideal 
probabilistic  algorithm. 

But  consider  an  interleaving  semantics  where  at  each 
step  of  executing  a  multi-threaded  program,  exactly  one 
thread  is  chosen  to  execute  for  a  single  transition.  Now 
multi-threaded  programs  are  nondeterministic.  If  at  every 
step,  every  thread  has  a  nonzero  probability  of  being  se¬ 
lected  by  a  scheduler,  then  Pr[/i  =  n  \  l  =  n]  <  1,  for  all  n, 
unless  Pr[ft  =  n]  =  1.  That’s  because  the  final  value  of  l 
can  be  any  value  with  nonzero  probability,  regardless  of  h. 
Each  value  of  mask  will  be  considered,  allowing  the  thread 
pair  for  the  bit  in  question  to  execute,  and  these  two  threads 
can  complete  in  either  order  with  nonzero  probability.  So 
Pr[Z  =  n  |  h  ^  n\  >  0. 

The  example  shows  that  there  are  attacks  that  are 
stronger  in  a  synchronous  concurrent  model  than  in  a  prob¬ 
abilistic  interleaving  one.  For  each  new  model,  one  needs  to 
investigate  the  feasibility  of  revealing  secrets. 

7  Discussion 

It  has  long  been  recognized  that  practical  information  flow 
control  must  allow  for  declassifying  information.  An  exam¬ 
ple  is  a  simple  password  checker.  It  must  indicate  whether 
a  given  string  matches  a  user’s  password  in  a  password  file. 
Information-flow  control  would  prohibit  the  result  of  such 
an  attempt  from  being  observed  by  an  arbitrary  user.  One 
way  around  this  restriction  is  to  allow  privileged  users  to 
explicitly  declassify  the  result,  allowing  some  information  to 
leak  [9].  If  a  password  checker  merely  returns  the  result  of 
a  match  query,  then  the  declassification  could  be  justified 
knowing  that  any  attempt  to  exploit  the  checker  in  order 

5When  we  run  the  algorithm  and  it  terminates  with  l  =  n.  we 
want  to  be  able  to  conclude  that  h  =  n  with  some  probability.  The 
conditional  probability  Pr[i  =  n  |  h  =  n]  is  wrong  for  this  purpose.  If 
I ' r  l  —  n  |  h  —  n]  =  .99,  say,  and  we  run  the  algorithm  for  some  value 
of  h  and  it  terminates  with  l  =  n,  then  this  does  not  imply  h  =  n  with 
probability  .99.  The  same  argument  applies  to  probabilistic  primality 
testing  algorithms  [2]. 


to  learn  a  password  is  subject  to  the  limitations  of  Theo¬ 
rems  3.1  and  3.2. 

Note  we  have  said  nothing  about  the  role  of  the  type 
system  at  this  point.  Type  checking  would  be  performed 
on  any  program  that  updates  the  password  file,  since  this 
is  where  new  passwords  are  input.  As  long  as  the  password 
checker  merely  returns  the  result  of  a  match  query,  password 
updating  is  well  typed,  and  passwords  are  stored  in  a  secret 
(high)  file,  the  password  system  as  a  whole  is  secure  in  the 
sense  that  it  is  subject  to  the  limitations  of  Corollaries  5.2 
and  5.3. 

But  what  can  we  say  about  the  security  of  a  system  in 
which  there  is  a  public  file  containing  the  images  of  the 
passwords  under  some  one-way  function?  The  reduction 
of  Theorem  5.1  can  also  be  used  to  argue  for  security  in 
this  case.  Suppose  we  add  to  our  deterministic  language  a 
function  /  that  we  believe  is  a  one-way  function  [11]  and 
a  constant  fh  bound  to  the  image  of  h  under  /.  That  is, 
/i(// ()  =  /((/(h)),  for  any  memory  fi.  Further,  suppose  they 
are  typed  as  7  h  fh:  L,  and  for  any  expression  e, 

7  h  e  :  T 
7  /(e)  :  r 

One  cannot  allow  /(e)  to  be  typed  low  unless  e  can  be  typed 
as  a  low  expression.  Otherwise,  we  can  copy  h  into  a  low 
variable  l  in  linear  time  using  a  well-typed  program  similar 
to  the  one  in  Section  5: 

l  :=  0; 

?nask  :=  2*_1; 

while  mask  yf  0  do 

if  f(mask)  =  f(h  &  mask)  then 
l  :=  l  |  mask ; 
mask  :=  mask  1 

Notice  that  this  program  might  fail  to  copy  every  bit  of  h  due 
to  a  collision  caused  by  /.  But  this  would  be  unlikely  if  /  is 
indeed  a  one-way  function.  Also  note  that  fh  makes  match 
unnecessary:  if  7  b  e  :  L  then  the  expression  fh  =  /(e)  can, 
practically  speaking,  be  used  in  place  of  match(e). 
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We  wish  to  argue  for  the  security  of  any  well-typed  pro¬ 
gram  c  that  uses  /.  Now  c  may  have  free  occurrences  of  h 
and  can  call  /  according  to  the  typing  rules  above.  Suppose 
that  c  can  copy  h  into  a  low  variable,  for  all  A-bit  values  of  h , 
in  time  t(k).  By  Theorem  5.1,  we  can  construct  a  low  simu¬ 
lation  c  of  c  that  does  the  same  thing  as  efficiently.  That  is, 
given  only  fh  and  all  calls  to  /  that  c  makes  involving  only 
low  variables,  c  can  also  copy  h  in  t(k)  time.  In  effect,  c  is 
an  algorithm  for  deducing  h  from  fh  using  some  number  (as 
a  function  of  k)  of  calls  to  /.  So  any  lower  bound  on  this 
problem  applies  to  copying  h  with  a  well-typed  program. 

Although  we  suggest  above  that  match  could  be  replaced, 
the  preceding  argument  does  not  subsume  our  results  about 
the  security  of  programs  that  access  h  using  match  only.  For 
instance,  the  preceding  argument  about  f  does  not  prove  an 
intractability  result  for  programs  limited  to  accessing  h  via 
fh,  as  Theorem  3.1  does  for  match.  We  have  only  argued 
that  the  hardness  of  copying  h  using  a  well-typed  program 
with  references  to  fh  and  calls  to  /  rests  squarely  upon  the 
hardness  of  inverting  /. 

Turing  reductions  have  also  been  used  in  proving  the 
security  of  RSA-based  signature  schemes  [3,  4]  and  crypto¬ 
graphic  protocols  [6,  8].  Again  the  basic  idea  is  to  prove  that 
the  security  of  a  protocol  rests  on  the  strength  of  its  crypto¬ 
graphic  primitives.  Our  synchronous  concurrency  example 
shows  that  if  an  intruder  can  observe  the  timing  behavior  of 
an  implementation  of  a  cryptographic  operation,  then  the 
specification  of  a  protocol  that  uses  the  operation  cannot 
realistically  treat  it  as  primitive.  A  reduction  may  not  exist 
because  of  timing  observations,  as  our  example  shows. 

8  Conclusion 

Our  research  is  aimed  at  characterizing  secrecy  in  systems 
with  inherent  leaks,  for  example,  those  that  use  authentica¬ 
tion  based  on  shared  secrets.  Noninterference  is  too  strong 
for  such  systems.  Instead,  we  propose  a  relative  secrecy 
proof  that  takes  practical  security  parameters  (e.g.  key  size 
and  randomness)  into  consideration. 
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9  Appendix 

The  proofs  of  Theorem  5.1  and  the  Simple  Security  and 
Confinement  lemmas  are  complicated  a  bit  by  subtyping. 
Assume,  without  loss  of  generality,  that  all  typing  deriva¬ 
tions  end  with  a  single  (perhaps  trivial)  application  of  rule 
SUBTYPE. 

Theorem  5.1  If  c  is  a  well-typed  command  with  respect  to 
7,  then  there  is  a  low  simulation  of  c  with  respect  to  7. 

Proof.  The  proof  is  by  induction  on  the  structure  of  c. 

We  first  consider  the  case  when  7  h  c  :  H  cmd.  In  this 
case,  we  can  simply  let  the  low  simulation  of  c  be  skip.  For 
by  the  Confinement  lemma  below,  c  does  not  assign  to  any 
variable  x  for  which  7(3;)  =  L  var.  Hence  if  (c,  pi)  — >n  p, 
then  p'~^p.  And  we  have  (skip,//)  — p,  by  rule  no-op. 
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Finally,  we  note  that  n  >  1  and  that  skip  is  a  low  command 
with  respect  to  7. 

Next  we  consider  the  case  when  7  I /  c  :  H  cmd.  In  this 
case  we  must  have  7  h  c  \  L  cmd  (since  c  is  well  typed  under 
7)  and  the  derivation  must  end  with  a  trivial  application 
of  rule  subtype  (since  otherwise  we  would  have  7  b  c  : 
H  cmd).  We  now  consider  the  possible  forms  of  c: 

Case  skip.  Since  7  b  skip  :  H  cmd .  this  case  has  already 
been  handled. 

Case  x  :=  e.  By  the  discussion  above,  there  is  a  deriva¬ 
tion  of  7  b  x  :=  e  :  L  cmd  that  ends  with  an  application  of 
rule  assign.  This  implies  that  7(2-)  =  L  var  and  7  b  e  :  L. 
So,  by  the  Simple  Security  lemma  below,  7 (y)  =  L  var  for 
every  identifier  y  free  in  e.  Therefore  x  :=  e  is  itself  a  low 
command  relative  to  7,  and  x  :=  e  is  thus  (trivially)  a  low 
simulation  of  itself. 

Case  if  e  then  ci  else  C2.  Again  by  the  discussion 
above,  there  is  a  derivation  of  7  b  if  e  then  ci  else  c2  : 
L  cmd  that  ends  with  an  application  of  rule  if.  Hence 
7  b  e  :  L  and  both  ci  and  c2  are  well  typed  with  respect  to 
7.  Then  by  induction  there  exist  commands  ci  and  c2  which 
are  low  simulations  of  ci  and  c2,  respectively,  with  respect 
to  7.  We  claim  that  if  e  then  ci  else  c2  is  a  low  simulation 
of  if  e  then  ci  else  c2  with  respect  to  7.  First,  note  that 
it  is  a  low  command  under  7,  since  (by  the  Simple  Security 
lemma)  7(2:)  =  L  var  for  every  free  identifier  x  in  e.  Next, 
suppose  that  g  is  a  memory  such  that  dom(p)  =  dom (7) 
and  (if  e  then  ci  else  c2,p)  — »"  p  .  Then  if  p(e)  0, 
the  evaluation  has  the  form 

(if  e  then  c  1  else  c2,p)  — t  (c  1 ,  ju)  — >-"_1  p . 

Therefore,  since  ci  is  a  low  simulation  of  ci,  there  exists  a 
memory  p"  and  an  integer  m  such  that  (c\,p)  — >m  p" . 
p'  ~2p"  and  m  <  n  —  1.  Therefore,  by  rule  branch, 

(if  e  then  ci  else  c2,p)  — >  (c’l.p)  — >m  p" . 

And  m  +  1  <  n.  The  argument  is  similar  in  the  case  when 

/'(f)  =  0. 

Case  ci;  c2.  As  above,  there  is  a  derivation  of  7  b  ci;  c2  : 
L  cmd  that  ends  with  an  application  of  rule  compose,  im¬ 
plying  that  ci  and  c2  are  well  typed  under  7.  So  by  in¬ 
duction  there  exist  commands  c(  and  c2  which  are  low  sim¬ 
ulations  of  ci  and  c2,  respectively,  with  respect  to  7.  We 
claim  that  c( ;  c2  is  a  low  simulation  of  ci ;  c2  under  7.  For 
suppose  that  p  is  a  memory  with  dom(p)  =  dom(j)  and 
(ci ;  ci ,  p)  — >n  p! .  By  Lemma  9.4,  there  exist  k  and  p"  such 
that  0  <  k  <  n.  (ci,p)  — >k  p" ,  and  (c2,p")  — >R,_*  ^ 
Since  ci  is  a  low  simulation  of  ci,  there  exist  v"  and  m 
such  that  (c\,p)  — >m  v" ,  and  m  <  k.  And  since 

c'2  is  a  low  simulation  of  c2 ,  there  exist  1/  and  j  such  that 
( c2.p ")  — >3  v  .  p'~jv',  and  j  <  n  —  k. 

Now  ci  is  well  typed  under  7  and  therefore  h  is  not 
assigned  to  in  ci  because  7 (h)  =  H  (i.e.  h  is  not  a  vari¬ 
able).  So  p" (h)  =  11(h).  Further,  c't  is  a  low  command, 
so  v" (h)  =  11(h).  Hence  p"  (h)  =  v"(h).  Since  p" 
fi" (h)  =  v" (h),  and  c2  is  a  low  command,  we  have 

(c'2,u")  n' 6 

Therefore,  by  Lemma  9.5,  (c(-,c2,fi)  — >m+i  And  m  + 

j  <  k  +  n  —  k  =  n. 

6Note  that  this  conclusion  does  not  follow  simply  from  the  facts 
that  (c).  n"  )  — yJ  v'  and  /./ ' ' -- .  n" .  because  c2  may  contain  match 
queries. 


Case  while  e  do  ci.  As  above,  there  is  a  derivation 
of  7  b  while  e  do  ci  :  L  cmd  ending  with  rule  while, 
which  implies  that  7  b  e  :  L  and  ci  is  well  typed  with 
respect  to  7.  By  induction,  there  is  a  low  simulation  c\ 
of  ci  with  respect  to  7.  We  claim  that  while  e  do  c\  is  a 
low  simulation  of  while  e  do  ci  with  respect  to  7.  First, 
it  is  a  low  command  under  7,  since  (by  the  Simple  Secu¬ 
rity  lemma)  7(21)  =  L  var  for  every  free  identifier  x  in  e. 
Next,  suppose  y  is  a  memory  with  dom(fi)  =  dom( 7)  and 
(while  e  do  ci,/x)  — >n  fi  ■  Then  by  Lemma  9.1,  there  ex¬ 
ist  v  and  m  such  that  (while  e  do  ci,/x)  — >m  v' , 
and  m  <  n.  □ 

Lemma  9.1  Suppose  that  c  is  a  low  simulation  of  c  with 
respect  to  7,  c  is  well  typed  under  7,  dom(p)  =  dom( 7),  and 
(while  e  do  c,  p)  — >n  pt  .  Then  there  exist  v  and  m  such 
that  (while  e  do  c  ,  fi)  — »m  v  ,  p' ~1v' ,  and  m  <  n. 

Proof.  By  induction  on  n. 

If  n  =  1  then,  by  the  first  loop  rule,  p(e)  =  0  and  p  =  fi. 
So  (while  e  do  c' ,  p)  — >  p  by  the  first  loop  rule. 

Suppose  n  >  1.  Then  by  the  second  loop  rule,  we  have 

(while  e  do  c,  p)  — ►  (c;  while  e  do  c,p)  — >-”-1  p  . 

By  Lemma  9.4,  there  is  a  p"  and  k  such  that  (c,  p)  — >k  p" , 
(while  e  do  c,  p")  — >“  1  k  p  ,  and  0  <  k  <  n  —  1.  Since 
c1  is  a  low  simulation  of  c,  there  is  a  memory  v"  and  integer  i 
such  that  (c  ,p)  — b'  v" ,  p" and  i  <  k.  And  by  induc¬ 
tion,  there  is  a  v'  and  j  such  that  (while  e  do  c.p")  — >J 
v' ,  p  ^1v'  and  j  <  n  —  1  —  k. 

Now  c  is  well  typed  under  7  and  therefore  h  is  not  as¬ 
signed  to  in  c  because  7 (h)  =  H.  So  p" (h)  =  p(h).  Further, 
c'  is  a  low  command,  so  v"(h)  =  p(h).  Hence  p" (h)  =  v" (h). 
Since  p" ~7u" ,  p" (h)  =  v"(h),  and  while  e  do  c  is  a  low 
command,  we  have  (while  e  do  c',v" )  — P  v  .  Therefore 
by  Lemma  9.5, 

(c;  while  e  do  c',p)  — b+J  v' . 

And  by  the  second  loop  rule 

(while  e  do  c.p)  — >  (c;  while  e  do  c.p). 

Therefore,  (while  e  do  c.p)  — >'+J+1  v' ,  And  i  +  j  +  1  < 
k  +  (n  —  1  —  k)  +  1  =  n.  □ 

Lemma  9.2  (Simple  Security)  If  7  b  e  :  L  then  7(2;)  = 
L  var,  for  every  free  identifier  x  in  e. 

Proof.  By  induction  on  the  structure  of  e.  Since  H  £  L,  the 
derivation  of  7  b  e  :  L  ends  with  a  trivial  application  of  rule 
SUBTYPE. 

1.  Case  n.  The  lemma  holds  vacuously. 

2.  Case  x.  By  rule  rule  R-VAL,  7(2;)  =  L  var. 

3.  Case  match(e).  By  rule  QUERY,  we  have  7  b  e  :  L.  By 
induction,  7(2;)  =  L  var  for  every  free  identifier  x  in  e. 

4.  Case  ei  =  e2.  By  rule  eq,  7  b  ei  :  L  and  7  b  e2  :  L. 
By  induction,  7(2:)  =  L  var  for  every  free  identifier  x 
in  ei  and  e2.  The  other  binary  operators  are  handled 
similarly. 

□ 


Notice  here  a  departure  from  our  earlier  work.  We  can 
have  7  h  e  :  L  and  fi^-yfi1  yet  fife)  4  //(e),  if  /<  and  / / 
disagree  on  the  value  of  h.  This  fact  breaks  some  forms  of 
Noninterference  introduced  in  our  earlier  work,  specifically 
[12,  13,  14].  These  forms  are  essentially  bisimulations  which 
are  sensitive  to  any  difference  in  the  value  of  h. 

Lemma  9.3  (Confinement)  If  7  b  c  :  H  cmd,  then  we 
have  'y(x)  =  H  var,  for  every  variable  x  assigned  to  in  c. 

Proof.  By  induction  on  the  structure  of  c.  Since  L  cmd 
H  cmd ,  the  derivation  of  7  h  c  :  H  cmd  ends  with  a  trivial 
application  of  rule  subtype. 

1.  Case  skip.  The  lemma  holds  vacuously. 

2.  Case  x  :=  e.  By  rule  assign,  7(3-)  =  H  var. 

3.  Case  ci;  ci.  By  rule  compose,  we  have  7  h  ci  :  H  cmd 
and  7*  h  £2  :  H  cmd.  By  induction,  we  have  7(2:)  = 
H  var  for  every  variable  x  assigned  to  in  ci  and  in  ci- 

4.  Case  if  e  then  ci  else  ci.  By  rule  if,  we  have  7  b  ci  : 
H  cmd  and  7  h  C2  :  H  cmd.  By  induction,  we  have 
'y{x)  =  H  var  for  every  variable  x  assigned  to  in  ci  and 
in  C2- 

5.  Case  while  e  do  c.  By  rule  while,  we  have  7  h  c  : 
H  cmd.  By  induction,  we  have  7(2:)  =  H  var  for  every 
variable  x  assigned  to  in  c. 

□ 


The  next  two  lemmas  treat  the  behavior  of  sequential 
composition: 

Lemma  9.4  If  {c1-.c2.fi)  — P  fi  ,  then  there  exist  k  and  ft" 
such  that  0  <  k  <  j,  ( ci.fi )  — ¥k  fi"  and  (c2,p”)  — P~k  //• 


Proof.  By  induction  on  j.  If  the  derivation  begins  with  an 
application  of  the  first  sequence  rule,  then  there  exists  //' 
such  that  {ci.fi)  — >  fi"  and  (ci;  C2.f1)  — >  {c2.fi”)  — P-1 
fi  .  So  we  can  let  k  =  1.  And,  since  j  —  1  >  1,  we  have 
k  <  j. 

If  the  derivation  begins  with  an  application  of  the  sec¬ 
ond  sequence  rule,  then  there  exists  c[  and  fix  such  that 
{ci.fi)  — ¥  (4  ,fii)  and  (ci ;  c2.  fi)  — ¥  (ci;c2,pi)  — >j_1  ft1. 
By  induction,  there  exists  k  and  fi"  such  that  0  <  k  < 
j  —  1,  (. c'l.fii )  — >k  fi" .  and  {c2.fi")  — P ~1~k  ff .  Hence 


vfc  +  l 


{ci.fi)  — fi 
k  +  1  <  j.  □ 


and  {c2.f1" 


p-1 

,j-(k+l) 


And  0  < 


Lemma  9.5  If  {ci.fi) 
(ci;c2,/i)  — P+k  fi". 


¥3  fi  and  {c2.fi1) 


then 


Proof.  By  induction  on  j.  If  j  =  1  then  by  the  first 
sequence  rule,  {ci',C2.fi)  — ¥  (c2.fi)  — ¥k  ft".  Hence 

{Cl\  C2.fi)  - ^1+*  fi". 

If  j  >  1  then  there  exist  4  and  (n  such  that  {ci.fi)  — ¥ 
{c'l.fii)  — 4_1  fi  .  By  induction,  {c1.c2.fi1)  — yi~1+k 
fi" .  And,  by  the  second  sequence  rule,  (ci;  C2.fi)  — >■ 


(4 ;  c-2,  yUl ).  Hence  {(Mc2.fi)  — >j+k 


□ 
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